Rollout: F-Secure Client Security 7

New features and lower pricing make Client Security 7 a good fit for many businesses. But is that enough to entice enterprises to replace their existing security software?

June 6, 2007

Network Computing

The Upshot

Claim
F-Secure Client Security 7 aims to provide a comprehensive security suite that protects Windows desktops and servers without breaking the bank. It adds rootkit detection (Blacklight) to its existing signature-based and behavior-based detection. It's sized for deployments of five to 15,000 hosts.
Context
Most conventional antivirus vendors offer all-in-one security suites that include anti-spyware and firewall capabilities. F-Secure distinguishes itself with its Blacklight rootkit detector and low price, but its feature set is otherwise comparable to products from McAfee and Symantec.
Credibility
Client Security 7 performs well and is easy to manage. It's also less expensive than competing products, making it a good fit for a business that doesn't have a managed security suite in place or that is looking to reduce licensing costs. But that may not be enough to entice satisfied enterprises to rip and replace existing security software.

FEATURED PRODUCT:
F-Secure Client Security 7

When it comes to client security suites, McAfee and Symantec are Coke and Pepsi. They are ubiquitous, most enterprises already consume one or the other, and both generally provide the same experience. The goal for smaller vendors like F-Secure, Kaspersky Lab, Sophos and Trend Micro is to convince customers that there's a reason to try a third brand.

F-Secure has a two-pronged strategy: Address emerging threats and compete on price. Its Client Security 7 adds rootkit detection to a solid portfolio that includes anti-malware detection and removal, a stateful firewall, and intrusion prevention. Rootkits hide malicious programs from conventional security software, and their use is on the rise. However, technological advantages are fleeting; McAfee and Symantec have introduced rootkit detection to their enterprise client suites.

Price may be a more compelling argument: F-Secure offers similar features and a good management platform--F-Secure Policy Manager lets admins push clients to PCs, create and configure policies, and report on events--at a fraction of the cost of a product from the Big Two.

Hidden Problems

Rootkits hide the signs of compromise or infection by hooking user-mode programs (such as Windows Explorer) or kernel-level APIs (such as the low-level interface Explorer uses to read a directory listing) so that those callers cannot see certain files, processes or registry keys. Sony got lots of bad press for using rootkit-like technology to hide the DRM (digital rights management) software on some of its music CDs (F-Secure and security researcher Mark Russinovich can each claim credit for blowing the whistle on Sony). More alarming, malware authors increasingly use rootkit technology to hide malicious software on compromised machines.

Blacklight, F-Secure's rootkit-detection software, is well integrated with the rest of the client suite. It works by interrogating the OS in a number of ways for signs that a program is manipulating the registry, APIs or system calls. It runs during full scans of the computer, and the presence of rootkits is reported in the same manner as viruses and spyware. Blacklight quickly cleaned up our sample rootkits and deleted or quarantined the files.
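The review does not describe how Blacklight interrogates the OS, so the following is an added illustration of one standard way rootkit detectors expose hidden objects, not Blacklight's code or F-Secure's method: a cross-view comparison, in which the same object listing is taken once through the normal, hookable API and once by an independent route, and any name present in the second view but missing from the first is flagged. Both the "hooked" API and the independent view are simulated here (the real independent route would be something like parsing the NTFS master file table from the raw volume, or probing every possible PID), and the file and process names are constructed; the "$sys$" prefix is the one the Sony XCP rootkit used to mark files it hid.

```python
"""Cross-view comparison to expose objects a rootkit is hiding.

Added illustration, not Blacklight's code: the review does not describe
Blacklight's internals. The technique, comparing an object listing obtained
through the normal (hookable) API with one obtained by an independent route,
is a standard rootkit-detection approach. Both the hooked API and the
independent view are simulated below so the script runs anywhere; the file
and process names are constructed.
"""
from dataclasses import dataclass, field

# Constructed ground truth: what is really on disk and in the process table.
# "$sys$" is the prefix the Sony XCP rootkit used to mark files it hid.
TRUE_FILES = {
    r"C:\Windows\System32": ["kernel32.dll", "ntdll.dll", "$sys$aries.sys", "drivers"],
}
TRUE_PROCESSES = {4: "System", 612: "csrss.exe", 1336: "$sys$DRMServer.exe", 2048: "explorer.exe"}
HIDE_PREFIX = "$sys$"


def hooked_find_files(directory):
    """Simulates FindFirstFile/FindNextFile after a rootkit has hooked them:
    entries whose name starts with HIDE_PREFIX are dropped from the answer."""
    return [n for n in TRUE_FILES.get(directory, []) if not n.startswith(HIDE_PREFIX)]


def raw_find_files(directory):
    """Stands in for an independent view of the same directory, e.g. a listing
    built by parsing the NTFS master file table from the raw volume, which
    a user-mode or kernel API hook does not touch."""
    return list(TRUE_FILES.get(directory, []))


def hooked_enum_processes():
    """Simulates EnumProcesses with the hidden process unlinked from the list."""
    return {pid for pid, name in TRUE_PROCESSES.items() if not name.startswith(HIDE_PREFIX)}


def probe_pid(pid):
    """Stands in for OpenProcess(pid) succeeding: a process unlinked from the
    list still exists and still answers when addressed by PID directly."""
    return pid in TRUE_PROCESSES


@dataclass
class CrossViewReport:
    hidden_files: dict = field(default_factory=dict)   # directory -> names seen only in the raw view
    hidden_pids: list = field(default_factory=list)    # PIDs that open but are absent from the listing


def cross_view_scan(directories, max_pid=65536):
    """Report every object visible through the independent route but missing
    from the API's answer. A discrepancy is the signature of a hook, whatever
    the hooking technique."""
    report = CrossViewReport()
    for directory in directories:
        api_view = set(hooked_find_files(directory))
        raw_view = set(raw_find_files(directory))
        missing = sorted(raw_view - api_view)
        if missing:
            report.hidden_files[directory] = missing
    listed = hooked_enum_processes()
    # PID brute force: Windows PIDs are multiples of 4, so step by 4 and try
    # every candidate; anything that opens but is not listed is hidden.
    report.hidden_pids = [pid for pid in range(0, max_pid, 4)
                          if probe_pid(pid) and pid not in listed]
    return report


if __name__ == "__main__":
    result = cross_view_scan([r"C:\Windows\System32"])
    print("hidden files:", result.hidden_files)
    print("hidden PIDs:", result.hidden_pids)
```

The point of the technique is that it does not depend on recognizing the rootkit: whether the hook lives in a user-mode DLL or in the kernel's system-call table, the discrepancy between the two views is what gives it away, which is why it also catches rootkits that have no signature yet.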


Security Suite Comparison (comparison chart; image not reproduced)

The Good And The Bad

F-Secure's product also performs well on a number of other fronts. When we installed it in our University of Florida Real-World Labs®, it quickly identified the viruses and spyware we had planted on our systems, prevented us from downloading viruses from a Web site, and blocked network probes and attacks.

The firewall feature includes a location-aware capability, with which IT can adjust settings depending on the computer's whereabouts. The software can let a user enable file and printer sharing while at the office, for instance, but restrict it everywhere else. We also centrally configured network access per application, which prevents rogue apps and malware from communicating with command-and-control systems on the Internet.

F-Secure Client Security includes a behavior-based HIPS (host intrusion-prevention system) called DeepGuard. As in other security suites, this system is a double-edged sword: DeepGuard found and blocked port scans and other malicious traffic, but it also warned us about some unusual but harmless traffic.

To its credit, F-Secure's product can log packet data, which helps security administrators determine if traffic is really malicious. When Client Security showed a steady stream of intrusion attempts from one of the servers on our network, we had it capture packet data, then loaded the file into Wireshark, where we discovered the "attacks" were just harmless Novell Cluster Services heartbeat broadcasts. Although we could use the management interface to configure a firewall rule to ignore this type of traffic from this host, a simple button that would have let us tell the client to stop alerting on this particular traffic would be welcome.
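The triage step described above (export the packet data, open it in Wireshark, decide whether the "attacks" are real) is easy to automate once a capture is in hand. The following is an added example, not part of the review and not F-Secure code: a small pcap reader that groups packets by source host and separates a regular broadcast heartbeat, the pattern the Novell Cluster Services traffic showed, from a port sweep. The capture it runs on is constructed in memory; the addresses, ports and timings are made up for the illustration and are not real NCS values.

```python
"""Triage of firewall "intrusion" alerts from a packet capture.

Added example, not part of the review and not F-Secure code. Given a pcap
like the one the review exported from Client Security and opened in
Wireshark, it summarises the traffic per source host and separates a regular
broadcast heartbeat (the pattern the Novell Cluster Services traffic showed)
from a port sweep. The capture is built in memory; the addresses, ports and
timings are constructed for the illustration and are not real NCS values.
"""
import struct
from collections import defaultdict
from statistics import pstdev


def _ipv4(addr):
    return bytes(int(octet) for octet in addr.split("."))


def build_pcap(packets):
    """Write a little-endian pcap (Ethernet link type) from tuples of
    (timestamp, src_ip, dst_ip, proto, sport, dport); proto 6 = TCP, 17 = UDP."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for ts, src, dst, proto, sport, dport in packets:
        if proto == 6:   # TCP SYN, no payload
            l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
        else:            # UDP with a 4-byte payload; checksum left zero (optional in IPv4)
            l4 = struct.pack("!HHHH", sport, dport, 8 + 4, 0) + b"beat"
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                         _ipv4(src), _ipv4(dst))
        frame = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00" + ip + l4
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return bytes(out)


def parse_pcap(data):
    """Yield (timestamp, src, dst, proto, sport, dport) for every IPv4 TCP/UDP
    frame in a little-endian pcap; other frames are skipped."""
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian pcap")
    offset = 24
    while offset + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack("<IIII", data[offset:offset + 16])
        offset += 16
        frame = data[offset:offset + caplen]
        offset += caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        l4 = frame[14 + ihl:]
        if proto not in (6, 17) or len(l4) < 4:
            continue
        sport, dport = struct.unpack("!HH", l4[:4])
        yield sec + usec / 1e6, src, dst, proto, sport, dport


def triage(data, broadcast_suffix=".255"):
    """Classify each source host's traffic. Returns {src_ip: verdict}."""
    by_src = defaultdict(list)
    for rec in parse_pcap(data):
        by_src[rec[1]].append(rec)
    verdicts = {}
    for src, recs in by_src.items():
        recs.sort()
        stamps = [r[0] for r in recs]
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        dst_ports = {r[5] for r in recs}
        dst_hosts = {r[2] for r in recs}
        all_broadcast = all(r[2].endswith(broadcast_suffix) for r in recs)
        # "Periodic" = at least three gaps whose spread is under 5% of the mean gap.
        periodic = len(gaps) >= 3 and pstdev(gaps) < 0.05 * (sum(gaps) / len(gaps))
        if all_broadcast and len(dst_ports) == 1 and periodic:
            verdicts[src] = "periodic broadcast to one port: service heartbeat, not an attack"
        elif len(dst_ports) >= 5 and len(dst_hosts) == 1:
            verdicts[src] = "many distinct ports on one host: port sweep"
        else:
            verdicts[src] = "inconclusive: inspect in Wireshark"
    return verdicts


# Constructed capture: a host broadcasting every second on one UDP port, and a
# second host sending SYNs to eight ports on one target within a tenth of a second.
HEARTBEAT = [(1000.0 + i, "10.0.0.5", "10.0.0.255", 17, 5000, 5000) for i in range(12)]
SWEEP = [(1003.0 + i * 0.01, "10.0.0.9", "10.0.0.7", 6, 40000 + i, port)
         for i, port in enumerate([21, 22, 23, 25, 80, 110, 139, 445])]
SAMPLE_CAPTURE = build_pcap(HEARTBEAT + SWEEP)

if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_CAPTURE).items()):
        print(f"{host}: {verdict}")
```

Run against a real export, the same three features (broadcast destination, number of distinct ports, regularity of the interval) are what you would check by eye in Wireshark; a heartbeat is boring in exactly the way a sweep is not. The 5% jitter threshold and the five-port cutoff are the example's own choices and would be tuned to the network.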

Client Security also detected a number of programs on our systems that it classified as "riskware." This is software, such as a network scanner or system-diagnostic tool, that isn't necessarily malicious but could be used by an attacker or malicious employee to compromise security. The presence of such programs is often a first sign of trouble. However, Client Security didn't recognize a Serv-U FTP server we installed as riskware; it should have. Serv-U FTPd is used almost exclusively by file traders to distribute unlicensed copyrighted material. F-Secure's riskware default settings could be more comprehensive.

Keeping Track

The F-Secure Policy Manager provides an almost dizzying array of information and configuration options for the clients. But a convenient tabbed grouping of functions--installation, alerts, status--keeps it manageable. Policy Manager automates downloading and distributing detection updates and includes dedicated proxy software that can be installed at remote sites to reduce the load on WAN links. As you'd expect, Policy Manager lets administrators create group policies with different settings depending on the group. Alerts about viruses, rootkits and network attacks found on the clients are reported to the console and can be sent to an e-mail address, a syslog server or SNMP console.

The Policy Manager console can be used to configure a custom version of the client software, then push it to other networked computers. It also can build an installer package that you copy to your clients and install manually. However, then you must import the clients to the Policy Manager's control--an extra step that seems unnecessary. Policy Manager tracks some basic information on clients, but doesn't include the breadth of inventory information that McAfee's ePolicy Orchestrator collects, such as disk utilization.

F-Secure Client Security 7 is a capable security suite that is nicely integrated on both the client and the management side--but so is most of the software in this class. An enterprise that has already deployed a client-protection suite is unlikely to switch to F-Secure on features alone. So F-Secure's greatest advantage is price. It costs $29.95 per PC for 100 licenses--a per-PC savings of more than $60 compared with a similar suite from McAfee.

Avi Baumstein is an information security analyst at the University of Florida's Health Science Center. Write to him at [email protected].
